yes, I am using this command as root
root at TestAD:/home/maurizio# samba-tool dns zonecreate 192.168.10.254 10.168.192.in-addr.arpa
Password for [CALORO\maurizio]:
ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 881, in run
    res = dns_conn.DnssrvOperation2(client_version, 0, server, None,
root at TestAD:/home/maurizio#
--
root at TestAD:/home/maurizio# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
root at TestAD:/home/maurizio# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
zone "caloro.m" {
        type master;
        file "/etc/bind/caloro.m";
        };
zone "10.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/reverse.caloro.m";
        };
root at TestAD:/home/maurizio# cat /etc/bind/caloro.m
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     caloro.m. root.caloro.m. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      caloro.m.
@       IN      A       192.168.10.254
@       IN      AAAA    ::1
testad          IN      A       192.168.10.254
hpelite830      IN      A       192.168.10.88
--
root at TestAD:/home/maurizio# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
        passdb backend = samba_dsdb
        realm = TESTAD.CALORO.M
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        winbind expand groups = 2
        workgroup = CALORO
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[netlogon]
        path = /var/lib/samba/sysvol/testad.caloro.m/scripts
        read only = No
root at TestAD:/home/maurizio#
thanks
Am 20.07.2022 um 22:16 schrieb Rowland Penny via samba:
> On Wed, 2022-07-20 at 21:53 +0200, Maurizio Caloro via samba wrote:
>> hello Louis
>>
>> Thanks first for your answer and your Script to implement Samba !!
>> I have now installed Debian 11 from scratch, but with the
>> same result.
>>
>> the Samba 4.15.7 setup is built with BIND
>>
>> samba-tool dns zonecreate 192.168.10.254 10.168.192.in-addr.arpa
>> Password for [CALORO\maurizio]:
>> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
> Did you run the samba-tool command as root ?
>
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 881, in run
>>     res = dns_conn.DnssrvOperation2(client_version, 0, server, None,
>>
>> --
>>
>> # cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = CALORO.M
>> dns_lookup_kdc = yes
>> dns_lookup_realm = no
>> ticket_lifetime = 24h
>>
>> --
>>
>> # cat /etc/bind/named.conf
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/bind-dns/named.conf";
> Please post the contents of files above.
>
>> # cat /etc/resolv.conf
>> domain CALORO.M
>> search CALORO.M
>> nameserver 192.168.10.254
>>
>> # dpkg -l | grep krb5
>> ii krb5-config 2.6+nmu1 all
>> Configuration
>> files for Kerberos Version 5
>> ii krb5-locales 1.18.3-6+deb11u1 all
>> internationalization support for MIT Kerberos
>> ii krb5-user 1.18.3-6+deb11u1 amd64
>> basic
>> programs to authenticate using MIT Kerberos
>> ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT
>> Kerberos runtime libraries - krb5 GSS-API Mechanism
>> ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT
>> Kerberos runtime libraries
>> ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT
>> Kerberos runtime libraries - Support library
>>
>> bind running
>> Jul 20 20:41:17 TestAD named[536]: zone 10.168.192.in-addr.arpa/IN:
>> loaded serial 1
>> Jul 20 20:41:17 TestAD named[536]: zone 255.in-addr.arpa/IN: loaded
>> serial 1
>> Jul 20 20:41:17 TestAD named[536]: zone caloro.m/IN: loaded serial 2
>> Jul 20 20:41:17 TestAD named[536]: all zones loaded
>> Jul 20 20:41:17 TestAD named[536]: running
>> Jul 20 20:41:18 TestAD named[536]: timed out resolving
>> './DNSKEY/IN':
>> 8.8.8.8#53
>> Jul 20 20:41:19 TestAD named[536]: timed out resolving
>> '0.debian.pool.ntp.org/A/IN': 8.8.8.8#53
>> Jul 20 20:41:19 TestAD named[536]: timed out resolving
>> '0.debian.pool.ntp.org/AAAA/IN': 8.8.8.8#53
>> Jul 20 20:41:20 TestAD named[536]: resolver priming query complete
>> Jul 20 20:41:21 TestAD named[536]: managed-keys-zone: Key 20326 for
>> zone
>> . is now trusted (acceptance timer complete)
> If that is all that is shown in the logs when Bind9 starts, then
> there isn't enough.
>
> It may help if you post the output of 'testparm -s'
>
> Rowland
>
>
>